AD group membership


AD group membership

Munroe Sollog
I have successfully configured freeradius to authenticate against AD using
the winbind socket (not the ntlm_auth command).  I find myself needing to
also authorize based on AD group membership, more precisely based on
negative group membership (we maintain a "deny wireless" group).  It seems
like I could use the LDAP module and test for the group there, but I
noticed that the ntlm_auth command supports some notion of group checking
through the '--require-membership-of=STRING' option.  It follows that
winbind has access to AD groups and could be used to check.  I haven't been
able to find any guidance on the freeradius.org documentation site, so I
was wondering if there is a preferred method for AD-based group checking
when using winbind.



--
Munroe Sollog
Senior Network Engineer
[hidden email]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: AD group membership

Alan DeKok-2
On Jan 13, 2020, at 5:02 PM, Munroe Sollog <[hidden email]> wrote:
>
> I have successfully configured freeradius to authenticate against AD using
> the winbind socket (not the ntlm_auth command).

  That's good.

>  I find myself needing to
> also authorize based on AD group membership, more precisely based on
> negative group membership (We maintain a "deny wireless" group).  It seems
> like I could use the LDAP module and test for the group there, but I
> noticed that the ntlm_auth command supports some notion of group checking
> through the '--require-membership-of=STRING' option.

  That requires membership in a particular group.  It does *not* do negative group checking.

>  It follows that
> winbind has access to AD groups and could be used to check.  I haven't been
> able to find any guidance on the freeradius.org documentation site, so I
> was wondering if there is a preferred method for AD-based group checking
> when using winbind.

  The --require-membership-of option is *only* good if you need to require membership of one, and only one group.  If you need to check multiple groups, it doesn't work.  If you need to do negative group checking, it doesn't work.

  Alan DeKok.



Re: AD group membership

Matthew Newton-3
On Mon, 2020-01-13 at 17:02 -0500, Munroe Sollog wrote:
> I haven't been able to find any guidance on the freeradius.org
> documentation site, so I was wondering if there is a preferred method
> for AD-based group checking when using winbind.

LDAP.

There's basic group lookup in rlm_winbind in v4, but that's not
available in v3. Even so, LDAP is still recommended.

--
Matthew



Re: AD group membership

Munroe Sollog
Using this as a guide:

https://wiki.freeradius.org/modules/Rlm_ldap#group-support

I configured the ldap module for my AD server.  However, I was unsure
regarding the post-auth section in the guide.  I ended up adding a
"function" to the policy.d folder (not sure if that's a Debian-only folder
or not) and referencing that function as the first line in the
authorize section of my enabled site.  I recognize there are many ways to
get to the same result, but I thought I'd ask the experts: is there a
reason to use the post-auth section rather than the authorize section?
It seems like the group check naturally fits into "is this user authorized to
use this service".

On Mon, Jan 13, 2020 at 5:19 PM Alan DeKok <[hidden email]>
wrote:

> On Jan 13, 2020, at 5:02 PM, Munroe Sollog <[hidden email]> wrote:
> >
> > I have successfully configured freeradius to authenticate against AD
> using
> > the winbind socket (not the ntlm_auth command).
>
>   That's good.
>
> >  I find myself needing to
> > also authorize based on AD group membership, more precisely based on
> > negative group membership (We maintain a "deny wireless" group).  It
> seems
> > like I could use the LDAP module and test for the group there, but I
> > noticed that the ntlm_auth command supports some notion of group checking
> > through the '--require-membership-of=STRING' option.
>
>   That requires membership in a particular group.  It does *not* do
> negative group checking.
>
> >  It follows that
> > winbind has access to AD groups and could be used to check.  I haven't
> been
> > able to find any guidance on the freeradius.org documentation site, so I
> > was wondering if there is a preferred method for AD-based group checking
> > when using winbind.
>
>   The --require-membership-of option is *only* good if you need to require
> membership of one, and only one group.  If you need to check multiple
> groups, it doesn't work.  If you need to do negative group checking, it
> doesn't work.
>
>   Alan DeKok.
>



--
Munroe Sollog
Senior Network Engineer
[hidden email]
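The negative group check discussed in this thread, written as an unlang policy for the policy.d directory (part of the standard FreeRADIUS 3 layout, not a Debian addition) and called from the authorize section as the last poster describes. This is an added example, not code from the thread or from the FreeRADIUS project; it assumes the ldap module instance is named "ldap" (so its dynamic group attribute is LDAP-Group), that authentication itself is MS-CHAP through winbind as in the thread, and the group DN is a placeholder to be replaced with the real "deny wireless" group.

```unlang
#
#  policy.d/deny_wireless   (added example, not from the thread)
#
#  Reject members of the AD "deny wireless" group before authentication.
#  Assumes: ldap module instance named "ldap"; the group DN below is a
#  placeholder for the real group in your directory.
#
deny_wireless_group_check {
	#  Call the ldap module explicitly first so that a directory outage
	#  surfaces as a return code.  A bare LDAP-Group comparison that
	#  cannot reach the server simply evaluates to "no match", which
	#  would let every user past a deny-list check (it fails open).
	ldap
	if (fail) {
		update reply {
			Reply-Message := "Directory unavailable, access refused"
		}
		reject
	}

	#  Negative membership test: anyone in the deny group is rejected,
	#  regardless of what other groups they belong to.
	if (LDAP-Group == "CN=deny wireless,OU=Groups,DC=example,DC=local") {
		update reply {
			Reply-Message := "Wireless access denied by group policy"
		}
		reject
	}
}

#
#  In the virtual server (sites-enabled/<site>), the policy is invoked
#  by name inside authorize, e.g.
#
#  authorize {
#	deny_wireless_group_check
#	...
#  }
#
```

For PEAP or EAP-TTLS the policy belongs in the inner-tunnel virtual server's authorize section, since that is where the real user identity is visible; in the outer server the User-Name is often anonymous.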